Port Forwarding with SD-Branch

Reading Time: 6 minutes

After some time of absence, I’m back now, with a new lab in a new home. So I can build new cool stuff to test different and new setups. One part of the new LAB is SD-Branch and as I use my Synology Diskstation to backup this blog I need to create a rule to allow access from the internet to my disk station. So I need to set up port forwarding with the SD-Branch gateway running my internet connection at home.

Before that, I used my Comware based router for my internet connection and had all the port forwarding there. With SD-Branch this function is now in my 7005, acting as the Branch Gateway (BGW). Even if the configuration, compared to the Comware based router, is different it is easy and comprehensible.

The Default WAN Protect ACL

On each BGW there is a default ACL, protecting the WAN side of the BGW and is applied to all ports which are marked as WAN port. Below is the content of this ACL:

ip access-list session wan-uplink-protect-acl
    any any sys-svc-dhcp permit 
    ipv6 any any sys-svc-v6-dhcp permit 
    any any sys-svc-esp permit                     
    any any sys-svc-natt permit 
    any any sys-svc-ike permit 
    any any sys-svc-icmp permit 
    ipv6 any any sys-svc-icmp6 permit 
!

If you talk to security people they would make this ACL even tighter and it is absolutely up to you to change this ACL to your needs. For my needs, the default ACL is enough. At least at the moment. So, but why do I’m talking about this ACL. I will use this ACL to allow access to internal resources, like my DiskStation to allow the backup.

The ACL above is applied to every incoming packet on the WAN port, except those which already have outgoing connections. So if my webspace tries to do the backup via FTP this ACL does not allow FTP access and the packets are dropped. So first of all, make a copy of this ACL, as I will never encourage you to make changes to those default settings. We will always work with our own created stuff. So the first step would be, to create a new ACL with the same content as the one above. To create the new ACL login to Aruba Central and head over to the group or gateway you would like to configure. I create that kind of settings on the group level and if not generally valid for the whole group apply them on the device level. To create the new ACL switch from “Basic Mode” into the “Advanced Mode” and go to “Security–>Policies” and create the new ACL with a click on the plus sign:

Port Forwarding with SD-Branch - Create new WAN ACL
Port Forwarding with SD-Branch – Create new WAN ACL

Just leave the “Policy type” with “Session” and set the “Policy Name”. Afterward, you can click the “Save Settings” button and you have created the new ACL. Now you can start creating rules for that ACL by selecting the ACL in the list. A new table will open and you can start adding rules by clicking the plus sign:

Port Forwarding with SD-Branch - Add Rules to ACL
Port Forwarding with SD-Branch – Add Rules to ACL

The above is an example to allow DHCPv4. At the end of the ACL there is an implicit deny all. So only allow what you are really want to have. Proceed with as many rules as you need.

The Port Forwarding Rules

After you created all the rules needed, you can start creating the port forwarding rules. Ahh, not that fast. There are some useful config items available, which will make your life easier in the future. As I will forward FTP traffic from a specific static IP I will create a “Network Aliases” for this IP. I can use this alias in the rule and I can change that alias without ever touching the ruleset again if my web host might change in the future.

To create the alias (in the controller world this is known as netdestination) go to “Security–>Aliases” and click the plus sign in the table “Network Aliases” to create a new alias:

Port Forwarding with SD-Branch - Add Network Aliases
Port Forwarding with SD-Branch – Add Network Aliases

In the “Items” table just create as many items as needed and afterward click the “Save Settings” button.

You can do the same with services. If you need to forward specific ports, which normally correspond to apps or services you can define those on the same page under “Service Aliases”.

Now it is time to create the forwarding rules. Go back to the created policy and add another rule. This time we use the created aliases to create a destination nat rule like this:

Port Forwarding with SD-Branch - Add Forwarding Rule
Port Forwarding with SD-Branch – Add Forwarding Rule

The “Source” is “Alias” and the “Source alias” is the created one, just before. For the “Service alias”, I used the predefined “svc-ftp” alias, as I do not need to create a new one.

The interesting part comes with the “Action”. Here you enter “Destination NAT”. You now select whether to use a “Name” or “IP” and enter the internal destination for the forwarding, including the port.

Afterward, simply save the policy.

Apply the Policy to the Port

The last and final step is to apply the policy as a per session ACL to the WAN port. Just go to “Interface–>Ports” and select the WAN port. The config of the port might look like this:

Port Forwarding with SD-Branch - Add Policy to the WAN Port
Port Forwarding with SD-Branch – Add Policy to the WAN Port

The important part is the “Policy” config. The rest might differ, depending on your requirements. After saving the new policy to the WAN port you might need to reset the port. At least I had to.

Additional Steps for non-default Ports

If you use non-default ports for the forwarding, something above 1024 you might also need to allow those ports to be received and processed by the controller. This is needed, as the controller itself is the destination of the packet and the controller needs to forward the packet. It sounds complicated but is very simple.

Just head over to “Security–>Advanced” and select the “Acl White List” section. This table includes all traffic types, which are allowed to be received and processed by the controller. Traffic, which is purely forwarded by the controller, like the client to client or client to server traffic is not affected by this list. Only traffic destined for the controller itself is affected.

If you use ports that are non-default and which are not in this list, the traffic for those ports will not be forwarded. So you simply need a new rule to allow those ports. As I was using FTP in the example above, I do not need to add anything to this list, as FTP traffic is already allowed by this list. But I need to forward another port, which is TCP port 5001. And this port is not allowed by the ACL Whitelist. So I need to add this port to the list.

Just hit the plus sign at the bottom of the list and enter the details like this:

Port Forwarding with SD-Branch - Add ACL Whitelist Entry
Port Forwarding with SD-Branch – Add ACL Whitelist Entry

First, you select “permit” for the “Action” and “any” for the “Source”, except there is a specific source for that type of traffic. The important part is “IP protocol number”, here you have to enter 6 for TCP or 17 for UDP, just for example. Depending on your type of traffic you can enter different values, but those might be the obvious ones. Afterward, enter the port range and save the new rule.

This will allow the controller to process traffic, coming in on port 5001 in my example and if you have the destination NAT rule in place, will forward this traffic to the internal device.

If you find this post useful, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and tell me what you don’t like. But whatever you do, leave me a comment.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: